Hello everyone!
I am the operator of a somewhat recent exit node with SMTP allowed, and I have found out something worth sharing. Let me know if this is already known. As suggested by the Tor documentation, I set a reverse DNS which makes clear that my exit node belongs to the Tor network (tor-exit-readme.manalyzer.org). This weekend, I started to receive weird e-mail delivery failure notifications, and even a line from a guy kindly asking me to stop sending him mail.
The thing is, I was actually lucky to receive all those, and I wouldn't have if I didn't have a catch-all address set for the whole domain. Looking at the source of the rejected e-mails, I found out that someone was forging e-mails which look like they come from my domain:
Received: from tor-exit-readme.manalyzer.org (tor-exit-readme.manalyzer.org [95.130.11.147]) by smtp.craigslist.org (Haraka/2.5.0) with ESMTP id 66DDCADC-FEA4-4D62-8F08-2630AC1E0299.1 envelope-from best_pharmacy5@manalyzer.org; Mon, 18 Aug 2014 13:25:12 -0700
From: Levitra-Shop best_pharmacy5@manalyzer.org
To: rkdq8-4339052657@hous.craigslist.org
Subject: When It Comes Healthcare, Nothing Beats a Hometown Advantage, Rkdq8-4339052657 .
(I got tons of these, all procedurally generated e-mail addresses.) The thing is, these e-mails don't just seem like they're coming from my domain: they ARE coming from my domain, since the machine sending them has a rDNS which belongs to it. From a mail server's perspective, they're actually very legitimate and probably won't be flagged as spam. I believe that someone is listing all the exit nodes which have a reverse DNS set up, and uses the domain to send out unwanted e-mail. This is a problem for operators for the following reasons:
- The reputation of your domain is damaged, and legitimate e-mails sent from it may end up discarded
- It strengthens the idea that mail servers blindly reject everything that comes out of a Tor exit node
The good news is, there is something you can do about it. This is exactly what Sender Policy Framework [1] was created for. Long story short, this is some information you can put in your DNS to indicate which machines are allowed to send e-mails for the domain, and which are not (hint: the exit node should not be listed in there). Here is a sample policy which says that only servers registered as MX in your DNS should send e-mails for the domain:
tor-exit.domain.com. IN TXT "v=spf1 mx -all"
If you need something more specific, I have found a nice wizard [2] which will help greatly. If you run an exit node and have a reverse DNS set up, I highly recommend you take ten minutes to look into this. Please note that this will NOT prevent Tor users from sending e-mail or restrain their freedom in any way; it will only prevent ill-intentioned people from spoofing your domain. I also think that there should be a note in the Tor documentation about this issue (I couldn't find anything regarding this).
I hope this helps!
[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] http://www.spfwizard.net/
-- JusticeRage
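To show what the "v=spf1 mx -all" policy above actually does on the receiving side, here is a small offline SPF evaluator. It is an added example, not code from the thread or from any Tor project page; the DNS answers are a constructed in-memory table (the MX hostname and its address are assumptions, the exit node address is the one from the headers above), and it assumes the record is published for the domain that appears in the envelope-from.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. "mail.manalyzer.org" and
# 203.0.113.10 are assumed values; 95.130.11.147 is the exit node from the thread.
DNS = {
    ("manalyzer.org", "TXT"): ["v=spf1 mx -all"],
    ("manalyzer.org", "MX"): ["mail.manalyzer.org"],
    ("mail.manalyzer.org", "A"): ["203.0.113.10"],
    ("tor-exit-readme.manalyzer.org", "A"): ["95.130.11.147"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def check_spf(sender_ip, domain):
    """Evaluate a subset of RFC 7208 (mechanisms ip4, a, mx, all) for a message
    whose envelope-from is @domain and which arrives from sender_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no SPF record)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(domain, "MX"))
        else:
            matched = False  # unsupported mechanism: ignored in this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    # The spam relayed through the exit node fails; mail from the MX host passes.
    print("exit node:", check_spf("95.130.11.147", "manalyzer.org"))
    print("MX host:  ", check_spf("203.0.113.10", "manalyzer.org"))
```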
JusticeRage:
I also think that there should be a note in the Tor documentation about this issue (I couldn't find anything regarding this).
If you find the right place and can write a small text, I'd be happy to add it. The wiki is also open for contributions.
I added a note about the problem in the wiki! Regarding the documentation, I think there are two places where this problem is worth mentioning:
- Mike Perry's blog entry regarding minimal harassment [1], bullet point #3.
- The documentation page regarding manual relay setup [2], step #4, bullet point #9.
For both pages, here is what I would mention: "If you set up a reverse-DNS for your exit node and allow SMTP in your exit policy, you should consider configuring SPF (https://en.wikipedia.org/wiki/Sender_Policy_Framework) for your domain. If you don't, spammers may use your relay to convincingly spoof e-mails originating from your domain."
Possibly adding a link to the original discussion [3] afterwards, if the policy of the documentation allows external references. Let me know if this is clear enough for you. I can also write a page dedicated to this particular problem in the wiki, if you think it's worth it.
[1] https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
[2] https://www.torproject.org/docs/tor-relay-debian.html.en
[3] https://lists.torproject.org/pipermail/tor-relays/2014-August/005168.html
-- JusticeRage
Hey.
On 19.08.2014 17:51, JusticeRage wrote:
The good news is, there is something you can do about it. This is exactly what Sender Policy Framework [1] was created for. Long story short, this is some information you can put in your DNS to indicate which machines are allowed to send e-mails for the domains, and which are not (hint: the exit node should not be listed in there).
You should consider adding a DMARC record as well (with the "reject" policy). This is a somewhat more recent standard that allows you to explicitly drop emails which do not have a DKIM signature for your domain and/or fail SPF checks. Most of the "big" email companies seem to respect DMARC now. See http://www.dmarc.org for details.
felix
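To illustrate how a receiver applies the "reject" policy felix mentions, here is an added example (not code from the thread or from dmarc.org) of a DMARC disposition check: it combines the SPF and DKIM results with identifier alignment against the From: domain. The DMARC record, the authentication results and the organizational-domain rule are assumptions for illustration.

```python
# Constructed DNS data: a DMARC record with the reject policy (assumed values).
DNS_TXT = {
    "_dmarc.manalyzer.org": "v=DMARC1; p=reject; adkim=r; aspf=r",
}


def parse_dmarc(from_domain):
    """Return the DMARC tags for from_domain, or None if no record is published."""
    rec = DNS_TXT.get("_dmarc." + from_domain.lower())
    if not rec or not rec.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', 'reject', 'quarantine' or 'none' (no policy to apply)."""
    tags = parse_dmarc(from_domain)
    if tags is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "none")


if __name__ == "__main__":
    # The spoofed message: SPF fails (exit node is not an MX) and no DKIM signature.
    print(dmarc_disposition("manalyzer.org", "fail", "manalyzer.org", "none", None))
    # Legitimate mail from the MX host: aligned SPF pass is enough.
    print(dmarc_disposition("manalyzer.org", "pass", "manalyzer.org", "none", None))
```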
tor-relays@lists.torproject.org